Nortel Breach Exposes Security Vulnerabilities of All Enterprises

Nortel is dealing with the fallout from a 10-year data breach that exposed thousands of sensitive company documents to cyber-spies. The question security experts now are asking is how many other enterprises are also vulnerable to a similar attack?

The decade-long security breach at Nortel, where thousands of company documents were exposed, is just a one example of how vulnerable corporations are to cyber-espionage. What's even more worrisome is the likelihood that even more businesses are currently breached and not aware of it, security experts said.

CIOs, CTOs and CSOs have long known that this type of extended and invasive breach was a "possibility" and "likely occurring" in a number of companies, said Mike Logan, president of Axis Technology.

Industrial espionage is not new, as perpetrators try to bridge technology gaps by stealing from others. Companies can bypass years of research and development by somehow obtaining technical documents, prototypes and other sensitive information. This can allow them to create products that are highly similar, or underbid competitors because they don't have to take into account their research and development costs.

The Internet has made spying "so much easier," Chris Petersen, CTO of LogRhythm wrote on the company blog. It's just a matter of compromising a password, logging in to the system, and getting down to business, Petersen wrote.

"How many other US corporations are breached and leaking right now? Personally, I'm afraid we'd be appalled by the number -- it is likely very high," said Petersen.

Nortel first discovered the breach in 2004 when IT staff noticed a suspicious set of documents being downloaded by an executive, according to a Feb. 14 report in the Wall Street Journal. It turned out attackers had accessed the network using login credentials stolen from seven senior executives as early as 2000 and sensitive information was being transmitted back to a computer with a Chinese IP address.

Although some at the company were aware of the breach, Nortel's own IT security department was still discovering spyware rootkits were placed on some of the company's computers as late as 2009.

At the time, this operation would have been considered "sophisticated," but now would be considered "pedestrian," said Anup Ghosh, founder of Invincea.

The "unsettling truth" is that these types of attacks can still work today, said Ghosh. Enterprises are focusing heavily on the network perimeter and not securing the inside as well.

The Aurora attacks, the RSA breach and other attacks identified in 2011 clearly demonstrated that corporations are under constant threat from nation states such as China seeking shortcuts to technological advances, said Neil Roiter, research director of Corero Network Security.

It is expensive and time-intensive to extensively investigate a breach, and companies often stop as soon as they get reports that everything is fine, said Logan. Nortel changed passwords and monitored certain activity before declaring the job done. It did not search extensively for other malicious activity or continue monitoring, which allowed these attacks to continue for several years.

Stopping the internal investigation too soon can be "devastating," said Logan.

The failure of Nortel, which many viewed as an "innovative and sophisticated IT company," fully investigate and then address the risks posed by this data breach is "puzzling," Roiter said.

It's possible the company underestimated the risks eight years ago, Roiter added. Recent events may also lead to more aggressive monitoring of enterprise networks to detect suspicious outbound traffic and other activity in the event of a breach.

The new guidelines from the U.S. Securities Exchange Commission for organizations to disclose breaches and any security risks that may have a material impact on the company's operations that may result in more disclosures, said Roiter said. Companies will be more upfront about these events for the sake of the business community at large. If the guidelines had been in place even a few years ago, Nortel would likely have had to disclose the incident.

Even if Nortel was not sure what intellectual property had been stolen, the fact that computers belonging to key executives were compromised is material enough.

The guidelines will also force organizations to start thinking about preventive measures to stop the attack before it gets through the network, said Ghosh. "The more disclosure we see, the more likely we are to adopt innovative solutions that defend against these types of attacks," he said.